Data Security, Privacy and Institutional Review Board (IRB) Approval
EvaluateUR is intended to be used by a program or institution to more fully understand the impact of its undergraduate research program. The data are collected and stored by the SERC office at Carleton College which does not use the data itself in any way other than to support the individual programs that subscribe to the service. Since these activities do not involve disseminating the results to a wider audience or otherwise engaging in formal research they do not require oversight by an institutional review board.
Should you want to use the EvaluateUR data as part of any systematic investigation designed to develop or contribute to generalizable knowledge you must seek approval from your local IRB. The approval process will need to be completed before any data are collected. If you think you will use the EvaluateUR in this way please contact us directly before proceeding as you'll need to coordinate gaining IRB approval with existing approvals for the process.
Information about Data Security
Data collected from the EvaluateUR are kept private except as needed to support the mechanics of the program. Our security and privacy processes are detailed below:
Data are be collected from students and their mentors through a series of online forms hosted within Serckit, an online content management system developed and managed by the SERC office at Carleton College. All data in Serckit are stored in server facilities managed by Amazon and so physical security of the data is ensured by Amazon's security policies detailed here: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
All interactions with Serckit systems take place over secure, encrypted network connections via TLS. All data are stored, both in the primary database and all backups in encrypted form.
Direct access to the underlying Serckit servers is only available, via private key authenticated ssh, to SERC system administration staff who need access to maintain the servers. All other access is via Serckit's web interface, mediated by Serckit's authentication and access infrastructure. This system ensures access to the student and mentor data is only granted as needed to support the program. Specifically:
- individual students have access to their mentor's responses as that is a core element of the program
- likewise individual mentors have access to their student's responses
- The designated program administrator has full access to their program's information in order to manage and oversee the program
- Jill Singer, EvaluateUR Director, and the SERC staff at Carleton College have full access to the system and data solely to support local program administrators in trouble-shooting their local use of the system. The EvaluateUR program and SERC do not otherwise access or make use of any data collected from students and their mentors in any way.
Data are only stored in the system for one year. This is intended to support use by the local program during the research process and immediately after the research program when the local program administrator may need to access the data for program evaluation purposes. All student/mentor data is removed from the systems within one year after a student/mentor pair starts their research process. At that point it is no longer stored in Serckit and no longer available to the EvaluateUR project or SERC. In the event that program or institution wants to retain their data the site administrator should download a copy of the data before it is removed from Serckit.
Serckit has been in operation since 2002, hosting over 150 grant-funded websites. The system manages the authentication for over 10,000 user accounts and hosts over 100,000 web pages for 5 million visitors each year.